KVM: VMX: Fix host GDT.LIMIT corruption

commit 3444d7da1839b851eefedd372978d8a982316c36 upstream.

vmx does not restore GDT.LIMIT to the host value, instead it sets it to 64KB.
This means host userspace can learn a few bits of host memory.

Fix by reloading GDTR when we load other host state.

Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index ee03679efe788d61e73d76f818931d8c1a45fad2..7d043883d9bc8e73891f78f3ef061b5eee5d622c 100644 (file)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -177,6 +177,7 @@ static u64 construct_eptp(unsigned long root_hpa);
 static DEFINE_PER_CPU(struct vmcs *, vmxarea);
 static DEFINE_PER_CPU(struct vmcs *, current_vmcs);
 static DEFINE_PER_CPU(struct list_head, vcpus_on_cpu);
+static DEFINE_PER_CPU(struct desc_ptr, host_gdt);
 
 static unsigned long *vmx_io_bitmap_a;
 static unsigned long *vmx_io_bitmap_b;
@@ -812,6 +813,7 @@ static void __vmx_load_host_state(struct vcpu_vmx *vmx)
                wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_host_kernel_gs_base);
        }
 #endif
+       load_gdt(&__get_cpu_var(host_gdt));
 }
 
 static void vmx_load_host_state(struct vcpu_vmx *vmx)
@@ -1314,6 +1316,8 @@ static int hardware_enable(void *garbage)
 
        ept_sync_global();
 
+       store_gdt(&__get_cpu_var(host_gdt));
+
        return 0;
 }